Frontier AI cyber risk and the TSA 2021: Ofcom’s open letter to Communications Providers


In short: Ofcom has written to UK Communications Providers on 21 April 2026 to assess cyber risks from frontier AI, citing the AI Security Institute’s evaluation of Claude Mythos Preview. The duties already sit in section 105A of the Communications Act 2003 and the Telecommunications (Security) Act 2021 framework. CPs must now document assessment of frontier AI cyber risk as part of existing network security obligations.

By Rob Bratby, Managing Partner, Bratby Law. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms regulation, including Oftel and senior operator roles.

On 21 April 2026, Ofcom’s Group Director for Infrastructure and Connectivity, Natalie Black CBE, wrote an open letter to UK Communications Providers on the cyber security implications of frontier AI. The letter cites the AI Security Institute’s evaluation of Claude Mythos Preview as evidence of accelerating capability and points to the existing Telecommunications Security Code of Practice and NCSC guidance. Communications Providers are told to assess security risks from frontier AI models and to take appropriate mitigating action in line with their existing security duties. This is supervisory escalation using existing statutory powers. It is not new regulation.

The regulatory framework Ofcom is invoking

The duty sits in section 105A of the Communications Act 2003, inserted by the Telecommunications (Security) Act 2021. Providers of a public electronic communications network or service must take such measures as are appropriate and proportionate to identify, reduce and prepare for security compromises. The definition of a security compromise in section 105A(2) is deliberately broad: any event that compromises availability, performance, functionality, or confidentiality of the network or service, and any unauthorised access, interference or exploitation.

Guidance on how to discharge those duties is set out in the DSIT Telecommunications Security Code of Practice (December 2022), issued under section 105E following the 40-day parliamentary procedure in section 105F. The Code sits alongside the Electronic Communications (Security Measures) Regulations 2022 and applies to Tier 1, Tier 2 and Tier 3 CPs on tiered compliance timelines. Ofcom monitors compliance and takes enforcement action against breaches. Civil liability for failure to comply is preserved by section 105W: a person who sustains loss from a breach of the security duties can bring proceedings, subject to Ofcom’s consent. The enforcement machinery is in place. Until this letter, frontier AI had not been identified as a priority risk within it.

What Ofcom’s letter actually does

The letter does three things. It makes the AI Security Institute’s 14 April 2026 evaluation of Claude Mythos Preview a documented supervisory concern: the AISI found the model succeeded on 73% of expert-level capture-the-flag tasks and was the first to complete a 32-step enterprise network attack range end-to-end on a weakly-defended target. It links the Ofcom position to the Kendall and Jarvis open letter of 15 April 2026, which told business leaders to prepare for frontier AI capability to rise quickly over the next year. And it directs CPs to the recent NCSC note on retaining defensive advantage.

Naming a specific commercial model is unusual for Ofcom, and deliberate. The AISI evaluation gives the regulator a verified reference point that is public, dated and independent. Citing it in supervisory correspondence converts a policy concern into an evidential anchor for future compliance conversations. The letter stops short of any formal direction. It is issued as a supervisory letter, not a notification of contravention or a confirmation decision. Ofcom has told CPs it will be in touch to take stock of progress: the open-letter mode is partnership, but it is explicitly time-limited partnership. The data protection side of the same regulatory push, directed at controllers under UK GDPR Article 32 rather than CPs under the TSA 2021, is covered separately in AI cyber threats and UK GDPR Article 32: controller duties after the DSIT open letter.

Parallel moves from financial sector regulators

Ofcom’s letter is part of a coordinated regulator response to the AISI Mythos evaluation. The Bank of England, FCA, HM Treasury and NCSC convened urgent discussions with major UK banks on 13 April 2026, before both the Kendall and Jarvis open letter and the Ofcom letter to CPs. UK banks have been given controlled access to Mythos to test their systems, and the Cross Market Operational Resilience Group, co-chaired by the Bank of England and UK Finance, has briefed financial sector chief executives. The Information Commissioner’s Office has been working the parallel data protection thread through its Tech Futures work on agentic AI in early 2026, which identifies cyber security as a novel risk vector, although the ICO has not yet issued an equivalent letter on frontier AI cyber risk. The same AISI Mythos evaluation is being read by all of these regulators as the evidential anchor.

Commercial and operational implications for CPs

Tier 1 and Tier 2 CPs should treat this letter as a trigger for four concrete steps. First, frontier AI cyber risk should be added to the security risk register maintained under the Code of Practice and reviewed at board level. The Ofcom letter now gives that review a named regulatory expectation; the absence of a documented risk assessment when Ofcom comes back to take stock will be visible. Second, third-party AI usage in the supply chain needs mapping. Frontier AI capability is not confined to models CPs deploy themselves; it reaches CPs through vendor tooling and through counterparty operations. The Cyber Security and Resilience Bill framework tightens supply-chain expectations across networked sectors, and the Ofcom letter signals that telecoms supervision is tracking the same logic.

Third, CPs should be ready for the follow-up conversation. Ofcom has said it will take stock. That means a meeting, a request for information under section 135 of the Communications Act 2003, or a request to see documented mitigations. CPs that have already been working through the 2025 telecoms security compliance cycle can extend that work to cover frontier AI without rebuilding the framework. Fourth, the civil liability route under section 105W is relevant for CPs that provide network services into other regulated customers. If a security compromise causes loss to a downstream enterprise customer, the existence of a regulator letter identifying a known risk vector strengthens the argument that the CP was on notice.

For CPs assessing whether they are in scope of the Tier 1, Tier 2 or Tier 3 classification under the Electronic Communications (Security Measures) Regulations 2022, or whether a proposed new service triggers the network security duties, see our guidance on regulatory perimeter and market entry. For CPs preparing for Ofcom follow-up, including responses to section 135 information requests, see investigations and enforcement support.

Viewpoint

This is Ofcom using the TSA 2021 toolkit exactly as designed: a Code of Practice in force, supervisory dialogue opened by letter, enforcement held in reserve. What it signals is that the regulator has decided frontier AI cyber risk is now squarely inside the telecoms security envelope, not an adjacent AI-policy conversation happening elsewhere in government.

In my experience of operator-side security compliance, the gap between having AI security thinking and having documented AI security thinking is months of work. CPs that treated the Kendall and Jarvis letter of 15 April as macro background will now need to accelerate. The Ofcom “we will be in touch” language is not pro-forma and the letter has named a specific model, which is rare. Operators that sit across multiple regulated regimes should expect supervisory consistency to follow from the shared evidential base. With BoE, FCA and NCSC already engaged on the financial sector and Ofcom now on telecoms, an ICO move on a frontier AI cyber framing of UK GDPR Article 32 controller duties looks like a question of weeks, not months.

Links

For advice on TSA 2021 compliance, responding to Ofcom supervisory correspondence, or documenting frontier AI cyber risk assessment within an existing Code of Practice framework, contact Rob Bratby at Bratby Law.
